Pages:
Author

Topic: [XPM] 7800 STOLEN - Please read / help (Read 3382 times)

hero member
Activity: 820
Merit: 1000
August 20, 2013, 09:00:45 AM
#43
Thanks everyone for all your help and suggestions.  I still haven't gotten to the bottom of this but, thanks to the posts here, I do realise how easily I could have been compromised.  All of the VPS images I had used have been deleted already so I'm not able to check those for signs of malicious access.  But my best guess is that one of the early ones I used was compromised, before I started using an encrypted version of the wallet. 

Once I find some time I will try to collate all of the security-improving suggestions and post them into a new thread for everyone to benefit from.

Thanks
Paul

newbie
Activity: 18
Merit: 0
August 19, 2013, 06:27:59 PM
#42
for someone who knows more about it than me heeres the transaction details

Array
(
    [hex] => 0100000001bf21d2bf33ad48cb59ef160ae204dda5d7bbf5e6be9d8f75d5fb95d620098edd00000 0004a4930460221008e1c6aa6c28c10456a608fbc1c77e6fd8816a3499a942cb71135669fdd9a5c 7d022100fc7ef05f56270f91a59da7ec421c28eb1966bb050daf275491ffc235bc4d569f01fffff fff0240aeeb02000000001976a914c9bd871c1b681e43aec2bba71ec46ac9dc82713788ac00ca9a 3b000000001976a914e41c51584730272c896b6ddd15af7f6a14dcea2c88ac00000000
    [txid] => c0bcfde4fa1ac44d96edeb448bd5d7fa3ecf73f525e69058d69a01cf695c0400
    [version] => 1
    [locktime] => 0
    [vin] => Array
        (
           
  • => Array
                (
                    [txid] => dd8e0920d695fbd5758f9dbee6f5bbd7a5dd04e20a16ef59cb48ad33bfd221bf
                    [vout] => 0
                    [scriptSig] => Array
                        (
                            [asm] => 30460221008e1c6aa6c28c10456a608fbc1c77e6fd8816a3499a942cb71135669fdd9a5c7d02210 0fc7ef05f56270f91a59da7ec421c28eb1966bb050daf275491ffc235bc4d569f01
                            [hex] => 4930460221008e1c6aa6c28c10456a608fbc1c77e6fd8816a3499a942cb71135669fdd9a5c7d022 100fc7ef05f56270f91a59da7ec421c28eb1966bb050daf275491ffc235bc4d569f01
                        )

                    [sequence] => 4294967295
                )

        )

    [vout] => Array
        (
           
  • => Array
                (
                    [value] => 0.49
                    [n] => 0
                    [scriptPubKey] => Array
                        (
                            [asm] => OP_DUP OP_HASH160 c9bd871c1b681e43aec2bba71ec46ac9dc827137 OP_EQUALVERIFY OP_CHECKSIG
                            [hex] => 76a914c9bd871c1b681e43aec2bba71ec46ac9dc82713788ac
                            [reqSigs] => 1
                            [type] => pubkeyhash
                            [addresses] => Array
                                (
                                   
  • => AaAaWgCpqebejux1wyw1H8yQvuPCizy6yy
                                )

                        )

                )

            [1] => Array
                (
                    [value] => 10
                    [n] => 1
                    [scriptPubKey] => Array
                        (
                            [asm] => OP_DUP OP_HASH160 e41c51584730272c896b6ddd15af7f6a14dcea2c OP_EQUALVERIFY OP_CHECKSIG
                            [hex] => 76a914e41c51584730272c896b6ddd15af7f6a14dcea2c88ac
                            [reqSigs] => 1
                            [type] => pubkeyhash
                            [addresses] => Array
                                (
                                   
  • => Aca1dndvLHK1BLWEGsJE2Ci35Wg4azZy2F
                                )

                        )

                )

        )

    [blockhash] => 7db340b42e39e14554b4ac7ee831a646df1dbbcb547cd4ebba2aa413a0de3858
    [confirmations] => 1830
    [time] => 1376860711
    [blocktime] => 1376860711
)
   
newbie
Activity: 18
Merit: 0
August 19, 2013, 06:17:15 PM
#41
just my 2 cents but most vps will keep a log of ip addresses for incomeing connections if you could get this list it would help narrow it down you could then do a trace route/whois and backtrace to general area and isp from there you could contact the isp with the info and go from there i have to do this form time to time on ppl who jump bail when i can make contact with them online it might be a longshot but worth a try im recently new to mining so im afrain i cant donate coins but i have years of experience in tracking people and things down so will donate my time ive never tracked down a wallet addy before but theres a first time for everything Smiley
member
Activity: 98
Merit: 10
August 19, 2013, 05:55:11 PM
#40
I'm very sorry to hear about this.

I guess the time span and amount of instances you have been running, you probably have not kept any or may disk images or logfiles.
It would be interesting to find out how your wallet or hosts have been compromised. My guesses would be via a disk image or via ssh and weak credentials.

Some suggestions to miners about what can you do with ssh to improve security.

  • Open up ssh only to what is necessary. 0.0.0.0 is alot of addresses, not to mention IPv6 addresses. If you are using ec2, you can update the firewall from the web interface when your IP when you need to log in from elsewhere. If you are on DHCP (your ip address changes), you can use a subnet (eg, x.x.x.x/24) which will still greatly reduce your exposure to attack
  • use ssh keys, not passwords
  • keep your ssh private key secure (keep it only on the machines you need use to connect to instances, a backup on USB )
  • you can encrypt your key with a passphrase, look into this and also ssh-agent
  • If you must use windows, use anti virus software, scan regularly, keep it up to date. MacOS and Linux are not immune either
  • If you muse use a password, use a strong one. http://en.wikipedia.org/wiki/Strong_password
  • Check the documentation for sshd, and edit your ssh_config file, especially these options
  • AllowUsers - use this option in sshd_config to whitelist the usernames you need to access your system
  • PermitRootLogin - set this to no or without-password, use sudo to become root if you need to
  • Don't run a sshd on the machine you use to connect to your instances if you don't need to. If you must, then secure that too.

ssh ports are being probed for weak passwords all the time. If you run sshd without a firewall, just look at the logs.
By running the primecoind daemon (or any coin for that matter) you publicize your IP number to others (and the fact that you probably have a wallet that might even cointain some coins in it) 

Regarding wallets, I won't go into protecting your wallet or the best way to move your funds around but leaving copies of wallets lying around is not a good idea. Ideally a provider zeroes the disk when a customer stops using it but it may not always be the case, deleting a physical disk takes time.

When you are done using a machine and no longer need it's wallet file should can delete your wallet or even better,  "wipe" (apt-get install wipe,  wipe FILENAME) or write zeroes over it (dd if=/dev/zero of=PATHTOYOURWALLET bs=1024 count=100). WIth SSDs, you can't be sure that everything is ever deleted, but if the file is wiped or zeroed, you can be fairly sure that the file cannot be recovered without special tools and physical access to the disk, or without administrative access to the disk system in a larger provider. When you "rm" a file, usually, it is just the directory entry and list of block a file is using that is deleted. If not wiped or written over, it is possible for a file to be reconstructed.

Treat your wallet backups as you would treat your wallet, if someone finds your backup, it's almost as good as your wallet.dat

Ideally the ssh settings and user accounts are set on your first miner which you then clone.
Wiping the wallet could be made part of the shutdown script, make your you have a safe backup.
member
Activity: 105
Merit: 10
August 19, 2013, 05:45:50 PM
#39
So without rpcallowip=127.0.0.1, could someone bruteforce the rpc password and do a sendtoaddress? But he said he ony had port 22 open.
And how about upnp?
sr. member
Activity: 368
Merit: 250
bitify.com - Bitcoin Marketplace & Auction site
August 19, 2013, 05:03:31 PM
#38
Incidents like this make me wonder how long it's gonna be before crypto gets a proper organization to avoid and resolve such activities. With so many coins losses from theft, scams and password/wallet loss, even guys like us who have dedicated a lot of their time, effort and money into crypto are going to give up on it one day. A $5,000 loss and a huge Amazon bill would be quite depressing and should it happen again it WILL kill the trust in crypto for both Paul and those close to him.

I'm really sorry this happened to you mate, I don't understand why bad things happen to good people, this universe sucks!

I will be sending few coins across today, and I urge everyone who can to do the same. I know Paul quite well and I know that he'd do the same should this happen to me or anyone in the community.

Hope you'll catch him mate...

sr. member
Activity: 266
Merit: 250
August 19, 2013, 03:54:00 PM
#37
for future use of vpn i urge everyone to do this


Code:
apt-get update && apt-get --yes upgrade

useradd -m -G sudo,adm -s /bin/bash yournewusername

passwd root

start a text file one your home pc and start beating up your keyboard , use the shift key and numbers to get special chars.  about 20-50 chars long should do.

it should like like

!W45ygbw4%BN56j8u46m7mki578,o0,5mrn6Uw4b5vy1q34tv13%By2n456@$5y2v#$%t1cf34Tg2v345t24%BY@$YH#%6unh5&U#bv45c@#$!#!#RE$T!#$VQ#$

save your text file!!!! and don't lose it.

make two of these passwords, so you can add a secure password to your new user u added.

Code:
passwd yournewusername

next you should also disable root access

Code:
nano /etc/ssh/sshd_config

change the permit root login option to no , save the file.

Code:
exit

log out as root, and log back in using your new username and password in your text file. Obviously you will just copy / paste the password, right click on your ssh console to paste it in.

This should prevent anyone from getting into your vps.
hero member
Activity: 686
Merit: 504
always the student, never the master.
August 19, 2013, 12:58:15 PM
#36
are you the guy who accused me of stealing 7000 xpms on mcxnow chat? i'm sorry for your loss man but i kinda take offense to being accused of it out of the blue. i understand you were running j-coin on the same server iirc, hence your suspicions since i made j-coin. if someone could strip j-coin down and look it over for signs of a wallet stealer i'd really appreciate it. I don't need this bad publicity with everone already accusing me of being a scammer over the Gascoin debacle
Oh I absolutely didn't accuse - I think there was a misunderstanding there.  Someone asked what else I had installed on that machine and I said that the only thing was the j-coin wallet.  No implication there and I didn't for a minute suggest that you/it were to blame.  I've said all along I thought the wallet was probably copied weeks ago.  Sorry if it came across wrongly. 

ah okay, i just wanted to clear that up since i caught the tail end of the conversation. you had already moved on from the conversation and the trolls were all over me giving me the what for. again, i'm sorry for your loss. i hope they catch the guy. all scammers must pay
hero member
Activity: 820
Merit: 1000
August 19, 2013, 12:54:57 PM
#35
are you the guy who accused me of stealing 7000 xpms on mcxnow chat? i'm sorry for your loss man but i kinda take offense to being accused of it out of the blue. i understand you were running j-coin on the same server iirc, hence your suspicions since i made j-coin. if someone could strip j-coin down and look it over for signs of a wallet stealer i'd really appreciate it. I don't need this bad publicity with everone already accusing me of being a scammer over the Gascoin debacle
Oh I absolutely didn't accuse - I think there was a misunderstanding there.  Someone asked what else I had installed on that machine and I said that the only thing was the j-coin wallet.  No implication there and I didn't for a minute suggest that you/it were to blame.  I've said all along I thought the wallet was probably copied weeks ago.  Sorry if it came across wrongly. 
hero member
Activity: 686
Merit: 504
always the student, never the master.
August 19, 2013, 12:23:22 PM
#34
are you the guy who accused me of stealing 7000 xpms on mcxnow chat? i'm sorry for your loss man but i kinda take offense to being accused of it out of the blue. i understand you were running j-coin on the same server iirc, hence your suspicions since i made j-coin. if someone could strip j-coin down and look it over for signs of a wallet stealer i'd really appreciate it. I don't need this bad publicity with everone already accusing me of being a scammer over the Gascoin debacle
sr. member
Activity: 420
Merit: 250
August 19, 2013, 11:02:56 AM
#33
I think Ive got it.

Im gonna do something else which I hope is just as good.

Create a bootable USB with Ubuntu or similar on it and have a wllaet on there and keep my saving on it.

I just plug it in every now and again to update the wallet with coins Ive sent.

Is there a expiry time for transfere?

e.g.

I send coins to my USB wallet on Saturday and only update on the Friday. Will they always show up?

Sorry to OP for slightly derailing the thread but I'm sure others will find this info useful or at least make them think about their own security.

Your wallet could be offline for 10 years and still get the transaction when you bring it online.

If you go with the bootable linux. Make sure you make a copy, usb flash drives dont fail often but THEY DO FAIL so be careful.

Another option is to print out a paper wallet and send coins to it. Just don't lose it.  Cheesy
member
Activity: 113
Merit: 10
August 19, 2013, 10:34:02 AM
#32
I think Ive got it.

Im gonna do something else which I hope is just as good.

Create a bootable USB with Ubuntu or similar on it and have a wllaet on there and keep my saving on it.

I just plug it in every now and again to update the wallet with coins Ive sent.

Is there a expiry time for transfere?

e.g.

I send coins to my USB wallet on Saturday and only update on the Friday. Will they always show up?

Sorry to OP for slightly derailing the thread but I'm sure others will find this info useful or at least make them think about their own security.
sr. member
Activity: 420
Merit: 250
August 19, 2013, 09:54:38 AM
#31
Sounds great, Im a bit new...what a cold wallet?

Is it one that does stay online and up-to-date with the blockchain?

You keep it in the freezer.  Tongue

The cold wallet does not stay synced to the block chain. You just backup your wallet.dat Once you have the address you can send coins to it and all you have to do to use thoes coins is to import the wallet.dat into a wallet/client.

I'm not sure how clear i'm being. lol
member
Activity: 113
Merit: 10
August 19, 2013, 09:52:18 AM
#30
Sounds great, Im a bit new...what a cold wallet?

Is it one that does stay online and up-to-date with the blockchain?

Exactly the opposite  Smiley

Typo, meant Doesn't

Cheers! Smiley

UPDATEAdmin from ypool has responded.


:jh00: I have already contacted paulthetafy. Sadly we have no transaction that involves the thief's XPM address.

Hope some other avenue opens up.
hero member
Activity: 820
Merit: 1000
August 19, 2013, 09:43:11 AM
#29
In an effort to help prevent this from happening to others I have a question:
- You mentioned "those instances were 100% using an encrypted wallet." I thought you couldn't mine with an encrypted wallet?
- On EC2 where you running windows or linux instances? I know with linux instances you can only log in with your keypair (pem) and all ports are blocked unless you open them with a custom security group config. Not sure on windows (I believe you can set a custom administrator password and clone with the same windows login ID and RPD easily to it)

As you mentioned this likely happened earlier though... This is why I do not use shared wallets. Or store my central wallets on windows =/


Yes mining with an encrypted wallet is fine.  You can't use sendtoaddress while encrypted though.
I was using Linux instances with all incoming ports closed except 22 for SSH.

I've learned my lesson with shared wallets.  Even though it is significantly easier to manage across lots of machines, I'll never do it again!

Thats a lot of XPM, hope my donation helps cover a small piece of the costs. Please keep us updated on your findings. You could make a good guide about securely using your wallet on different machines, which in itself could be worth some nice donations.

Good luck and I hope the XPM will come back to you.
Thanks, that's very kind of you
legendary
Activity: 2100
Merit: 1167
MY RED TRUST LEFT BY SCUMBAGS - READ MY SIG
August 19, 2013, 09:36:20 AM
#28
I don't have any coin i guess worth anything like 7k  however would be good to know there is a way to thwart people stealing your coins to some degree. I don't see how it would work ? why was he only trying to draw 10xpm at one time, why did he not extract the coins in one large transaction?

I would guess because the block value is a little over 10 XPM right now.

Really sorry to hear what happened to you, Paul. I had my Bter account hacked a couple of months back, and while my losses pales in comparison to yours, they were quite significant to me and hurt a lot.

Mail the shit out of all the exchanges and tell them not to accept any transactions from that address. Also keep a lookout to see where the coins move.
Indeed 7068 were taken in one hit, then 10 XPM at a time when each block matured.  The blocks were all around 10.5 in value to be on the safe side and account for fees he was sending 10 at a time.  The script was simply...
Code:
#!/bin/bash
while true; do ./primecoind sendtoaddress 10.4; done;


Ah, thanks i understand now. Sorry to hear this.

"Mail the shit out of all the exchanges and tell them not to accept any transactions from that address"   - would that work?  could they just not create another wallet on another machine and clean them through that?
I wonder in the future if the actual coins can be identified and black listed if proven to be stolen. Probably not i guess since that would have been done, and who would decide if they were really stolen or not hmmm

Sadly the sort of person that would hack into your machine and take every single coin is probably not going to give any back. Sad
newbie
Activity: 39
Merit: 0
August 19, 2013, 09:27:19 AM
#27
Thats a lot of XPM, hope my donation helps cover a small piece of the costs. Please keep us updated on your findings. You could make a good guide about securely using your wallet on different machines, which in itself could be worth some nice donations.

Good luck and I hope the XPM will come back to you.
vip
Activity: 756
Merit: 503
August 19, 2013, 09:19:35 AM
#25
Perhaps he brute forced the root password and got into SSH/SFTP? If so, Fail2ban could have prevented that and i recommend every server user to install it. Those VPS mining guides, while useful, did not take malicious intent into account.
Sucks man...
Fail2ban is vulnerable to DOS of the entire server via log poisoning.

Deactivate password login and only use key-based authentication, problem solved.
full member
Activity: 210
Merit: 100
I not use any kind of messenger beware of scammers
August 19, 2013, 09:16:09 AM
#24
I am sorry for your loss as well.

In an effort to help prevent this from happening to others I have a question:
- You mentioned "those instances were 100% using an encrypted wallet." I thought you couldn't mine with an encrypted wallet?
- On EC2 where you running windows or linux instances? I know with linux instances you can only log in with your keypair (pem) and all ports are blocked unless you open them with a custom security group config. Not sure on windows (I believe you can set a custom administrator password and clone with the same windows login ID and RPD easily to it)

As you mentioned this likely happened earlier though... This is why I do not use shared wallets. Or store my central wallets on windows =/


The problem with cold wallets is, by design, you have no access to it. Which makes it hard to "sell" coins to recoup expenses (and opens it up to being stolen via a compromised system)
Pages:
Jump to: